HackerOne is a popular platform for vulnerability hunting and disclosure, built on a bounty system for properly disclosed software issues. As Aaron Campbell notes on the WordPress blog, “It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.”
The WordPress page on HackerOne offers guidelines and areas of interest for disclosures. Interestingly, it also highlights areas they are not interested in:
Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
We generally aren’t interested in the following problems:
- Security vulnerabilities in WordPress plugins: here is how to report them
- Reports for hacked websites: here is what you can do
- Users with administrator or editor privileges can post arbitrary JavaScript
- Disclosure of user IDs
- Open API endpoints serving public data (Including usernames and user IDs)
- Path disclosures for errors, warnings, or notices
- WordPress version number disclosure
- Mixed content warnings for passive assets like images and videos
- Lack of HTTP security headers (CSP, X-XSS, etc.)
- Brute force, DDoS, phishing, text injection, or social engineering attacks.
- Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
- Output from automated scans – please manually verify issues and include a valid proof of concept.
If you think you found an exception, please, let us know.
I’m really happy to see the WordPress project embrace HackerOne, as it’s pretty standard practice for a lot of software projects and large organizations. I think it will also help with researchers who are already accustomed to such a system, versus the sometimes confusing process around emailing the WordPress security address and previous processes around that.
Aaron notes that during the test phase of the HackerOne listing, they’ve already, “awarded more than $3,700 in bounties to seven different reporters.” Confusingly, Automattic has paid out the awards. To me — while I’m thankful Automattic stepped up to cover those costs — it is a perfect opportunity for the WordPress Foundation to play a role.
I’d love to see a more formal fundraising effort around security and this bounty system, funded by the community and managed through the foundation. Perhaps that’s something that can be addressed in the future. While it’s nice for Automattic to foot the bill, I think the separation of concerns would be good for everyone, especially on security issues that are so relevant to the entire community.